Xianwei Gao,Lian Xue,Zishan Tian

DOI: https://doi.org/10.1109/EEI59236.2023.10212585

2023-06-30

Abstract:The Number Theoretical Transform (NTT) plays a crucial role in post-quantum cryptography algorithms, with its computational performance directly impacting system operating speed. This article proposes a high-performance NTT hardware architecture based on a pipeline architecture to address the challenges of lengthy computing processes and complex control logic in NTT hardware implementation. Firstly, a recursive NTT is advanced to simplify the calculation process and facilitate hardware implementation. Next, effective pipeline segmentation is applied to the computing process to reduce hardware architecture complexity. Finally, a two-stage butterfly operation is employed to implement butterfly elements, and the reduction calculation process is optimized using shift and addition, resulting in reduced hardware resource costs. The proposed NTT hardware architecture is implemented on Quartus II (EP2AGZ225FF35C3) taking the CRYSTALS-Kyber anti-quantum cryptography scheme as an example, since the selected prime number can meet requirements. Experimental results demonstrate that the proposed design outperforms other related designs in terms of computational performance and hardware overhead.

Engineering,Computer Science

Zhichuang Liang,Boyue Fang,Jieyu Zheng,Yunlei Zhao

DOI: https://doi.org/10.1016/j.csi.2023.103828

IF: 3.721

2024-01-01

Computer Standards & Interfaces

Abstract:The NTRU lattice is a promising candidate to construct practical cryptosystems, in particular key encapsulation mechanism (KEM), resistant to quantum computing attacks. Nevertheless, there are still some inherent obstacles to NTRU-based KEM schemes when considering integrated performance, taking security, bandwidth, error probability, and computational efficiency as a whole, that is as good as and even better than their {R,M}LWE-based counterparts. In this work, we address the challenges by presenting a new family of NTRU-based KEM schemes, denoted as CTRU and CNTR. By bridging low-dimensional lattice codes and high-dimensional NTRU-lattice-based cryptography with careful design and analysis, to the best of our knowledge, CTRU and CNTR are the first NTRU-based KEM schemes featuring scalable ciphertext compression via only one single ciphertext polynomial, and are the first that can outperform {R,M}LWE-based KEM schemes in terms of integrated performance. For instance, when compared to Kyber, the only KEM scheme currently standardized by NIST, our recommended parameter set CNTR-768 exhibits approximately 12% smaller ciphertext size, when its security is strengthened by (8,7) bits for classical and quantum security respectively, with a significantly lower error probability (2−230 for CNTR-768 vs. 2−164 for Kyber-768). In terms of the state-of-the-art AVX2 implementation of Kyber-768, CNTR-768,achieves a speedup of 2.7X in KeyGen, 3.3X in Encaps, and 1.6X in Decaps, respectively. When compared to the NIST Round 3 finalist NTRU-HRSS, CNTR-768,features 15% smaller ciphertext size, coupled with an improvement of (55,49) bits for classical and quantum security respectively. As for the AVX2 implementation, CNTR-768,outperforms NTRU-HRSS by 26X in KeyGen, 3.0X in Encaps, and 2.2X in Decaps, respectively. Along the way, we develop new techniques for more accurate error probability analysis, and a unified number theoretic transform (NTT) implementation for multiple parameter sets, which may be of independent interest.

Zhenhui Qin,Rui Tong,Xingjun Wu,Guoqiang Bai,Liji Wu,L. Su

DOI: https://doi.org/10.1109/cisce52179.2021.9446042

2021-01-01

Abstract:With the emergence and development of quantum computers, the traditional public-key cryptography (PKC) is facing the risk of being cracked. In order to resist quantum attacks and ensure long-term communication security, NIST launched a global collection of Post Quantum Cryptography (PQC) standards in 2016, and it is currently in the third round of selection. There are three Lattice-based PKC algorithms that stand out, and NTRU is one of them. In this article, we proposed the first complete and compact full hardware implementation of NTRU algorithm submitted in the third round. By using one structure to complete the design of the three types of complex polynomial multiplications in the algorithm, we achieved better performance while reducing area costs.

Xiangren Chen,Bohan Yang,Shouyi Yin,Shaojun Wei,Leibo Liu

DOI: https://doi.org/10.46586/tches.v2022.i1.94-126

2021-01-01

IACR Transactions on Cryptographic Hardware and Embedded Systems

Abstract:Number theoretic transform (NTT) is widely utilized to speed up polynomial multiplication, which is the critical computation bottleneck in a lot of cryptographic algorithms like lattice-based post-quantum cryptography (PQC) and homomorphic encryption (HE). One of the tendency for NTT hardware architecture is to support diverse security parameters and meet resource constraints on different computing platforms. Thus flexibility and Area-Time Product (ATP) become two crucial metrics in NTT hardware design. The flexibility of NTT in terms of different vector sizes and moduli can be obtained directly. Whereas the varying strides in memory access of in-place NTT render the design for different radix and number of parallel butterfly units a tough problem. This paper proposes an efficient conflict-free memory mapping scheme that supports the configuration for both multiple parallel butterfly units and arbitrary radix of NTT. Compared to other approaches, this scheme owns broader applicability and facilitates the parallelization of non-radix-2 NTT hardware design. Based on this scheme, we propose a scalable radix-2 and radix-4 NTT multiplication architecture by algorithm-hardware co-design. A dedicated schedule method is leveraged to reduce the number of modular additions/subtractions and modular multiplications in radix-4 butterfly unit by 20% and 33%, respectively. To avoid the bit-reversed cost and save memory footprint in arbitrary radix NTT/INTT, we put forward a general method by rearranging the loop structure and reusing the twiddle factors. The hardware-level optimization is achieved by excavating the symmetric operators in radix-4 butterfly unit, which saves almost 50% hardware resources compared to a straightforward implementation. Through experimental results and theoretical analysis, we point out that the radix-4 NTT with the same number of parallel butterfly units outperforms the radix-2 NTT in terms of area-time performance in the interleaved memory system. This advantage is enlarged when increasing the number of parallel butterfly units. For example, when processing 1024 14-bit points NTT with 8 parallel butterfly units, the ATP of LUT/FF/DSP/BRAM n radix-4 NTT core is approximately 2.2 × /1.2 × /1.1 × /1.9 × less than that of the radix-2 NTT core on a similar FPGA platform.

Neslihan Yaman Gökce,Anıl Burak Gökce,Murat Cenk

DOI: https://doi.org/10.1016/j.jisa.2023.103688

IF: 4.96

2024-01-08

Journal of Information Security and Applications

Abstract:The fast and efficient operation of post-quantum cryptographic algorithms has become an important research topic, especially with the recent developments and the process of the PQC Standardization Project by NIST. Various algorithms based on lattices are chosen to be finalists in this project. Number Theoretic Transform (NTT), Toom–Cook, Karatsuba, and Toeplitz matrix–vector product (TMVP) are considered in order to efficiently perform multiplications in quotient polynomial rings required by the cryptographic schemes based on lattices. In this paper, we propose a 5-way split TMVP-based algorithm for multiplication in polynomial quotient rings and determine its computational complexity . The new algorithm is derived from a 5-term polynomial multiplication algorithm using 13 multiplications with coefficients of only 1 or -1 that provide efficiency. We also implement it for all parameter sets of NTRU. The results show that we have up to 34%, 35%, and 157% speed-up against Toom4-Karatsuba implementation in key generation, encapsulation, and decapsulation, respectively.

computer science, information systems

Changxu Liu,Danqing Tang,Jie Song,Hao Zhou,Shoumeng Yan,Fan Yang

DOI: https://doi.org/10.1145/3649476.3658734

2024-01-01

Abstract:In privacy-preserving applications like Post-Quantum Cryptography (PQC) and Fully Homomorphic Encryption (FHE), polynomial multiplication is common, and the Number Theoretic Transform (NTT) is a key algorithm for reducing its complexity. In this paper, we present HMNTT, a highly efficient MDC-NTT architecture. Utilizing the four-step NTT algorithm and a pipelined transpose module, HMNTT offers a highly efficient and scalable architecture for handling NTT with large degrees. We optimize the processing element (PE) to alleviate backpressure and data conflicts in data flow. Leveraging FPGA characteristics, we construct a modular multiplication module to reduce resource usage and improve operating frequency. Evaluation results indicate that HMNTT achieves an average of 2.34x and 1.26x reduction in Area-Time Product compared to the latest pipelined NTT architectures.

Minjoo Sim,Minwoo Lee,Hwajeong Seo

DOI: https://doi.org/10.3390/electronics13193863

IF: 2.9

2024-09-30

Electronics

Abstract:In this work, we present the highly optimized implementation of the HAETAE algorithm, submitted to the second round of the Korean Post-Quantum Cryptography (KpqC) competition and to the first round of NIST's additional post-quantum standardization for digital signatures on 64-bit ARMv8 embedded processors. To the best of our knowledge, this is the first optimized implementation of the HAETAE algorithm on 64-bit ARMv8 embedded processors. We apply various optimization techniques to enhance the multiplication operations in the HAETAE algorithm. We utilize parallel operation techniques involving vector registers and NEON (Advanced SIMD technology used in ARM processors) instructions of ARMv8 embedded processors. In particular, we achieved the best performance of the HAETAE algorithm on ARMv8 embedded processors by applying all the state-of-the-art NTT (Number Theoretic Transform) implementation techniques. Performance improvements of up to 3.07×, 3.63×, and 9.15× were confirmed for NTT, Inverse-NTT, and pointwise Montgomery operations (Montgomery multiplication used in modular arithmetic), respectively, by applying the state-of-the-art implementation techniques, including the proposed techniques. As a result, we achieved a maximum performance improvement of up to 1.16× for the key generation algorithm, up to 1.14× for the signature algorithm, and up to 1.25× for the verification algorithm.

engineering, electrical & electronic,computer science, information systems,physics, applied

Yihong Zhu,Wenping Zhu,Yi Ouyang,Junwen Sun,Min Zhu,Qi Zhao,Jinjiang Yang,Chen Chen,Qichao Tao,Guang Yang,Aoyang Zhang,Shaojun Wei,Leibo Liu

DOI: https://doi.org/10.1109/ISSCC49657.2024.10454332

2024-01-01

Abstract:The migration towards post-quantum cryptography (PQC) is in progress to secure communications and transactions against the impending quantum threat, while three key-encapsulation mechanisms (KEM) and one digital signature (DS) scheme are being standardized by NIST [1]. This multi-year migration poses serious challenges to PQC implementations for compatibility and performance requirements in various scenarios and settings: 1) Performance limitations caused by diverse computation patterns and relatively higher computation costs. 2) Crypto-agility resulting from different mathematical problems, various security parameters, or even different standardization bodies. 3.) Domain-specific optimization to address the long-term security of the evolving algorithm families. However, most existing PQC accelerators [2, 3, 5] were only customized for specific algorithms based on unique mathematical problems. The latest configurable PQC processor [4] did not support Falcon and Sphincs+, which are being drafted for standardization. To address this issue, a versatile PQC processor fabricated in 28nm is presented with three key features: 1) task-clustering-based architecture for scalable processing with aggressive parallelism; 2) region-based task-path (TP) with dynamic update for agile cryptographic computing; 3) efficient PQC task-operators (TO), including hash/sample, format, floating-point/complex, encoding/decoding operators, for further improvements on throughput and energy-efficiency. Based on these contributions, the proposed chip supports all predominant schemes in NIST’s PQC standardization, while still delivering 44.6% and 10.3% improvements in the throughput and energy-delay product (EDP), respectively, relative to a state-of-the-art design [4].

Wenbo Guo,Shuguo Li

DOI: https://doi.org/10.1109/tc.2023.3320040

IF: 3.183

2023-01-01

IEEE Transactions on Computers

Abstract:Facing the threat of large-scale quantum computers to traditional public-key cryptography, the National Institute of Standards and Technology has conducted Post-Quantum Cryptography algorithms evaluation for a long time, and CRYSTALS-Kyber has been selected to enter the standardization process. In the previous literature, hardware designs can significantly improve the performance of CRYSTALS-Kyber, and the most time-consuming operations are Number Theoretic Transform (NTT) and point-wise multiplication (PWM). However, the split-radix algorithm, which has a lower theoretical complexity in the FFT, has rarely been studied in the NTT. In this paper, we studied whether there are advantages of introducing split-radix algorithms into the NTT defined by CRYSTALS-Kyber and detailed derived the split-radix algorithms for the forward and inverse NTT without pre- or post-processing. By further optimizing the split-radix algorithm for the forward NTT, one of the three modular multipliers in the $\boldsymbol{L}$L-shaped butterfly unit is replaced by shifting-and-addition, which will reduce the hardware resource consumption. Besides, we proposed a recombined formula for PWM, which reduces the capacity of the intermediate data RAM for PWM by 25%. Together with the proposed hardware scheduling method, the above algorithms can improve performance and save hardware resources.

Zhe Liu,Reza Azarderakhsh,Howon Kim,Hwajeong Seo

DOI: https://doi.org/10.1007/978-3-319-62024-4_6

2017-01-01

Abstract:ARM NEON architecture has occupied a significant share of high-end Internet of Things platforms such as mini computer, tablet and smartphone markets due to its low cost and high performance. This paper studies efficient techniques of lattice-based cryptography on ARM processor and presents the first implementation of ring-LWE encryption on ARM NEON architecture. We propose a vectorized version of Iterative Number Theoretic Transform (NTT) for high-speed computation and present a 32-bit variant of SAMS2 technique, original from Liu et al. in CHES2015, for fast reduction. Subsequently, we present a full-fledged implementation of Ring-LWE by taking advantage of proposed and previous optimization techniques. Ultimately, our ring-LWE implementation requires only 145 k clock cycles for encryption and 32.8 k cycles for decryption for $$n=256$$. These results are more than 17.6 times faster than the fastest ECC implementation on ARM NEON with same security level.

Luís Fiolhais,Leonel Sousa

DOI: https://doi.org/10.48550/arXiv.2309.17414

2023-09-30

Abstract:Trusted Platform Modules (TPMs), which serve as the root of trust in secure systems, are secure crypto-processors that carry out cryptographic primitives. Should large-scale quantum computing become a reality, the cryptographic primitives adopted in the TPM 2.0 standard will no longer be secure. Thus, the design of TPMs that provide Quantum Resistant (QR) primitives is of utmost importance, in particular with the restrictions imposed by embedded systems. In this paper, we investigate the deployment of QR primitives and protocols in the standard TPM 2.0. Cryptographic algorithms that are already in the NIST QR cryptography standardization process, as well as an Oblivious Transfer (OT), a fundamental cryptographic primitive, are the QR cryptographic schemes selected to extend TPM 2.0. In particular, the Kyber algorithm for key encapsulation, the Dilithium algorithm for digital signature, and a 3-round Random Oblivious Transfer (ROT) protocol, supporting protocols such as Multi-Party Computation and Private Set Intersection (PSI). The QR extended TPM 2.0 is implemented in ARM and RISC-V embedded processors, its computational requirements are analysed and experimentally evaluated in comparison to the standard TPM. It is shown that Kyber and Dilithium are faster at creating keys than RSA, due to the key size and secure random sampling required in RSA, while they meet the same performance level as ECC. For digital signatures, both in signature creation and verification, Dilithium is on par with RSA and ECC. The ROT protocol shows decent performance and its support required small modifications to the TPM. This paper also shows that it would be possible to backport the required code to already available TPMs to ensure that current TPMs remain secure against quantum adversaries.

Cryptography and Security

Guozhu Xin,Jun Han,Tianyu Yin,Yuchao Zhou,Jianwei Yang,Xu Cheng,Xiaoyang Zeng

DOI: https://doi.org/10.1109/tcsi.2020.2983185

2020-08-01

Abstract:In the 5G era, massive devices need to be securely connected to the edge of communication networks, while emerging quantum computers can easily crack the traditional public-key ciphers. Lattice-based cryptography (LBC) is one of the most promising types of schemes in all post-quantum cryptography (PQC) due to its security and efficiency. To meet the requirements of high-throughput and diverse application scenarios of 5G, we investigate the vectorization of kernel algorithms of several LBC candidates and thus present a domain-specific vector processor, VPQC, leveraging the extensible RISC-V architecture. To support the parallel computation of number theoretic transform (NTT) of different dimensions (from 64 to 2048), a vector NTT unit is implemented in VPQC. Besides, a vector sampler executing both uniform sampling and binomial sampling is also employed. Evaluated under TSMC 28nm technology, the vector coprocessor of VPQC consumes 942k equivalent logic gates and 12KB memories. Experimental results show that VPQC can speed up several typical key encapsulation mechanisms (NewHope, Kyber and LAC) by an order of magnitude compared with previous state-of-the-art hardware implementations.

Honglin Kuang,Yifan Zhao,Yi Sun,Jun Han

DOI: https://doi.org/10.1109/ASICON58565.2023.10396597

2023-01-01

Abstract:We present a general vector instruction extension applicable for both ARM NEON and RISC-V Vector Extension. The extension targets efficient bit-manipulation and can provide considerable speedup for applications in GF(2 <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">m</sup> ) such as code-based post-quantum cryptography schemes. The effectiveness of the extension is evaluated by using the custom instructions to optimize the kernel operations in BIKE key-encapsulation schemes. We first innovate vectorized versions of bit-polynomial multiplication and inversion algorithms in GF(2 <sup xmlns:mml="http://www.w3.org/1998/Math/MathML" xmlns:xlink="http://www.w3.org/1999/xlink">m</sup> ) and propose vector instruction extension. Furthermore, a configurable hardware unit has been proposed to support custom operations of different bandwidths at little cost and constant latency. Both experiments on Xilinx UltraScale+ ZCU104 for ARM and simulations on gem5 for RISC-V have been carried out. Compared to portable C implementation, the result shows a speedup for bit-polynomial multiplication and inversion of up to 13x and 16x in ARM, 13x and 22x in RISC-V respectively.

Zewen Ye,Ray C. C. Cheung,Kejie Huang

DOI: https://doi.org/10.1109/tcsii.2022.3184703

2022-01-01

IEEE Transactions on Circuits & Systems II Express Briefs

Abstract:Polynomial multiplication is the key and time-consuming operation among various operators in Post-Quantum Cryptography (PQC), which aims to find quantum-resistant algorithms to prevent attacks launched by quantum computers. Number Theoretic Transform (NTT) is an efficient algorithm that can accelerate the polynomial multiplication from $\mathcal {O}(n^{2})$ to $\mathcal {O}(nlog(n))$ . In this brief, we present a pipelined NTT (PipeNTT) hardware architecture in FPGA to achieve high throughput with fewer hardware resources. The dataflow and the butterfly unit are optimized to minimize the latency. To fulfil the proposed dataflow, a Block RAM (BRAM) based reordering unit is designed to further reduce the hardware resource. Moreover, our architecture can also be applied to Inverse-NTT (INTT). Compared to state-of-the-art parallel designs, our design achieves a 30% lower area-time product with 3x less memory space requirement.

Neng Zhang,Bohan Yang,Chen,Shouyi Yin,Shaojun Wei,Leibo Liu

DOI: https://doi.org/10.13154/tches.v2020.i2.49-72

2020-01-01

IACR Transactions on Cryptographic Hardware and Embedded Systems

Abstract:NewHope-NIST is a promising ring learning with errors (RLWE)-based postquantum cryptography (PQC) for key encapsulation mechanisms. The performance on the field-programmable gate array (FPGA) affects the applicability of NewHope-NIST. In RLWE-based PQC algorithms, the number theoretic transform (NTT) is one of the most time-consuming operations. In this paper, low-complexity NTT and inverse NTT (INTT) are used to implement highly efficient NewHope-NIST on FPGA. First, both the pre-processing of NTT and the post-processing of INTT are merged into the fast Fourier transform (FFT) algorithm, which reduces N and 2N modular multiplications for N-point NTT and INTT, respectively. Second, a compact butterfly unit and an efficient modular reduction on the modulus 12289 are proposed for the low-complexity NTT/INTT architecture, which achieves an improvement of approximately 3× in the area time product (ATP) compared with the results of the state-of-the-art designs. Finally, a highly efficient architecture with doubled bandwidth and timing hiding for NewHope-NIST is presented. The implementation results on an FPGA show that our design is at least 2.5× faster and has 4.9× smaller ATP compared with the results of the state-of-the-art designs of NewHope-NIST on similar platforms.

Daniel J. Bernstein,Billy Bob Brumley,Ming-Shing Chen,Nicola Tuveri

DOI: https://doi.org/10.48550/arXiv.2106.08759

2021-12-15

Abstract:Google's CECPQ1 experiment in 2016 integrated a post-quantum key-exchange algorithm, newhope1024, into TLS 1.2. The Google-Cloudflare CECPQ2 experiment in 2019 integrated a more efficient key-exchange algorithm, ntruhrss701, into TLS 1.3. This paper revisits the choices made in CECPQ2, and shows how to achieve higher performance for post-quantum key exchange in TLS 1.3 using a higher-security algorithm, sntrup761. Previous work had indicated that ntruhrss701 key generation was much faster than sntrup761 key generation, but this paper makes sntrup761 key generation much faster by generating a batch of keys at once. Batch key generation is invisible at the TLS protocol layer, but raises software-engineering questions regarding the difficulty of integrating batch key exchange into existing TLS libraries and applications. This paper shows that careful choices of software layers make it easy to integrate fast post-quantum software, including batch key exchange, into TLS with minor changes to TLS libraries and no changes to applications. As a demonstration of feasibility, this paper reports successful integration of its fast sntrup761 library, via a lightly patched OpenSSL, into an unmodified web browser and an unmodified TLS terminator. This paper also reports TLS 1.3 handshake benchmarks, achieving more TLS 1.3 handshakes per second than any software included in OpenSSL.

Cryptography and Security

Santiago Sánchez-Solano,Eros Camacho-Ruiz,Macarena C Martínez-Rodríguez,Piedad Brox

DOI: https://doi.org/10.3390/s22052057

2022-03-07

Abstract:Concern for the security of embedded systems that implement IoT devices has become a crucial issue, as these devices today support an increasing number of applications and services that store and exchange information whose integrity, privacy, and authenticity must be adequately guaranteed. Modern lattice-based cryptographic schemes have proven to be a good alternative, both to face the security threats that arise as a consequence of the development of quantum computing and to allow efficient implementations of cryptographic primitives in resource-limited embedded systems, such as those used in consumer and industrial applications of the IoT. This article describes the hardware implementation of parameterized multi-unit serial polynomial multipliers to speed up time-consuming operations in NTRU-based cryptographic schemes. The flexibility in selecting the design parameters and the interconnection protocol with a general-purpose processor allow them to be applied both to the standardized variants of NTRU and to the new proposals that are being considered in the post-quantum contest currently held by the National Institute of Standards and Technology, as well as to obtain an adequate cost/performance/security-level trade-off for a target application. The designs are provided as AXI4 bus-compliant intellectual property modules that can be easily incorporated into embedded systems developed with the Vivado design tools. The work provides an extensive set of implementation and characterization results in devices of the Xilinx Zynq-7000 and Zynq UltraScale+ families for the different sets of parameters defined in the NTRUEncrypt standard. It also includes details of their plug and play inclusion as hardware accelerators in the C implementation of this public-key encryption scheme codified in the LibNTRU library, showing that acceleration factors of up to 3.1 are achieved when compared to pure software implementations running on the processing systems included in the programmable devices.

Ruben De Smet,Robrecht Blancquaert,Tom Godden,Kris Steenhaut,An Braeken

DOI: https://doi.org/10.3390/s24031030

IF: 3.9

2024-02-06

Sensors

Abstract:Elliptic curve cryptography is a widely deployed technology for securing digital communication. It is the basis of many cryptographic primitives such as key agreement protocols, digital signatures, and zero-knowledge proofs. Fast elliptic curve cryptography relies on heavily optimised modular arithmetic operations, which are often tailored to specific micro-architectures. In this article, we study and evaluate optimisations of the popular elliptic curve Curve25519 for ARM processors. We specifically target the ARM NEON single instruction, multiple data (SIMD) architecture, which is a popular architecture for modern smartphones. We introduce a novel representation for 128-bit NEON SIMD vectors, optimised for SIMD parallelisation, to accelerate elliptic curve operations significantly. Leveraging this representation, we implement an extended twisted Edwards curve Curve25519 back-end within the popular Rust library "curve25519-dalek". We extensively evaluate our implementation across multiple ARM devices using both cryptographic benchmarks and the benchmark suite available for the Signal protocol. Our findings demonstrate a substantial back-end speed-up of at least 20% for ARM NEON, along with a noteworthy speed improvement of at least 15% for benchmarked Signal functions.

engineering, electrical & electronic,chemistry, analytical,instruments & instrumentation

Jieyu Zheng,Haoliang Zhu,Yifan Dong,Zhenyu Song,Zhenhao Zhang,Yafang Yang,Yunlei Zhao

2024-04-23

Abstract:TLS is extensively utilized for secure data transmission over networks. However, with the advent of quantum computers, the security of TLS based on traditional public-key cryptography is under threat. To counter quantum threats, it is imperative to integrate post-quantum algorithms into TLS. Most PQ-TLS research focuses on integration and evaluation, but few studies address the improvement of PQ-TLS performance by optimizing PQC implementation. For the TLS protocol, handshake performance is crucial, and for post-quantum TLS (PQ-TLS) the performance of post-quantum key encapsulation mechanisms (KEMs) directly impacts handshake performance. In this work, we explore the impact of post-quantum KEMs on PQ-TLS performance. We explore how to improve ML-KEM performance using the latest Intel's Advanced Vector Extensions instruction set AVX-512. We detail a spectrum of techniques devised to parallelize polynomial multiplication, modular reduction, and other computationally intensive modules within ML-KEM. Our optimized ML-KEM implementation achieves up to 1.64x speedup compared to the latest AVX2 implementation. Furthermore, we introduce a novel batch key generation method for ML-KEM that can seamlessly integrate into the TLS protocols. The batch method accelerates the key generation procedure by 3.5x to 4.9x. We integrate the optimized AVX-512 implementation of ML-KEM into TLS 1.3, and assess handshake performance under both PQ-only and hybrid modes. The assessment demonstrates that our faster ML-KEM implementation results in a higher number of TLS 1.3 handshakes per second under both modes. Additionally, we revisit two IND-1-CCA KEM constructions discussed in Eurocrypt22 and Asiacrypt23. Besides, we implement them based on ML-KEM and integrate the one of better performance into TLS 1.3 with benchmarks.

Cryptography and Security

Ali Yahya Hummdi,Amer Aljaedi,Zaid Bassfar,Sajjad Shaukat Jamal,Mohammad Mazyad Hazzazi,Mujeeb Ur Rehman

DOI: https://doi.org/10.1109/access.2024.3425813

IF: 3.9

2024-07-19

IEEE Access

Abstract:Polynomial multiplications based on the number theoretic transform (NTT) are critical in lattice-based post-quantum cryptography algorithms. Therefore, this paper presents a platform-agnostic unified hardware accelerator design (Unif-NTT) to compute the forward and inverse operations of the NTT for the CRYSTALS-Kyber algorithm. Moreover, a unified design (Unif-BU) of the Cooley-Tukey and Gentleman-Sande butterflies is presented using two adders, multipliers, subtractors, routing multiplexers and barret-based modular reduction units. Finally, a dedicated controller is implemented for efficient control functionalities. The implementation results are realized on field-programmable gate array (FPGA) and application-specific integrated circuit (ASIC) platforms. The Unif-NTT requires 1664 and 1792 clock cycles for one forward and inverse NTT computations, respectively. It can operate up to a maximum frequency of and over Virtex-7 FPGA and 28nm ASIC platforms, respectively. The Unif-NTT is 26% more efficient in Area-Time-Product compared to the most area-optimized NTT accelerator from the state-of-the-art. The Unif-NTT design is suited for applications that demand reasonable hardware resources with processing speed.

computer science, information systems,telecommunications,engineering, electrical & electronic